REMARKS

Examiner rejected claims 1-4 under 35 U.S.C. § 101 as being directed to non-statutory
subject matter. Examiner said that the claims preempt every substantial practical application of
the idea that is embodied by the claims. Applicants do no such thing, because ideas are not
patentable, only devices, methods, compositions of matter, and improvements thereto.
Applicants submit that claims 1-2 concern devices, which are patentable subject matter, and that
the components of said devices are described with particularity. Applicants submit that claims 3-4
concern methods, which are patentable subject matter, and that the steps of said methods are
described with particularity. Examiner also said that Applicants' device and method are so broad
and sweeping as to cover both known and unknown uses of a pseudo-random bit sequence.
Applicants do no such thing. Applicants submit that claims 1-4 only cover the particular devices
and methods described in claims 1-4 and nothing else, that any use of a particular pseudo-random
bit sequence is not covered by claims 1-4, and that only the particular devices and methods
described in claims 1-4 are covered. Examiner suggested amending the claims to include a specific
implementation in which the claimed invention may be used. Applicants submit that the claims
are already specific as to what components make up the devices, what steps make up the
methods, and what the devices and methods are used for (i.e., generating an uncorrelated
pseudo-random bit sequence uniformly distributed over a user-definable value K, where K+1 has m
prime factors).

Per Examiner's request, Applicants add claims 5 and 6 to include an application of the 
invention for cryptographic systems. 

Examiner rejected claims 3-4 under 35 U.S.C. § 103(a) as being unpatentable over U.S.
Pat. No. 5,446,683 (Mullen) in view of U.S. Pat. No. 5,974,144 (Brandman).


With regard to claim 3, Examiner said that Mullen discloses a method of generating an
uncorrelated pseudo-random bit sequence by generating m pseudo-random bit sequences, r_1,
r_2, ..., r_m, and generating the uncorrelated pseudo-random sequence. Mullen does not generate an
uncorrelated pseudo-random sequence but instead generates a series of pseudo-random sequences
using a series of Linear Feedback Shift Registers (LFSRs). As evidenced by the attached
Wikipedia definition of an LFSR, an LFSR consists of a number of flip-flop registers and
exclusive-or, or XOR, gates. As evidenced by the attached Wikipedia definition of XOR, an
XOR gate performs addition modulo two. Therefore, it does not perform multiplication of prime
factors and pseudo-random sequences (Claim 3, page 13, line 4) as do Applicants.

Examiner admits that Mullen does not disclose selecting a user-definable value K, where
K is a positive integer; factoring K+1 into m prime factors q_1, q_2, ..., q_m; using pseudo-random
sequences uniformly distributed over a range (0, ..., q_i - 1), where i = 1, 2, ..., m; or generating an
uncorrelated pseudo-random sequence R = r_1 + q_1 r_2 + q_1 q_2 r_3 + ... + q_1 q_2 ... q_{m-1} r_m, as do Applicants.

However, Examiner said that Brandman discloses selecting a user-definable value K,
where K is a positive integer; factoring K+1 into m prime factors q_1, q_2, ..., q_m; using pseudo-random
sequences uniformly distributed over a range (0, ..., q_i - 1), where i = 1, 2, ..., m; and
generating an uncorrelated pseudo-random sequence R = r_1 + q_1 r_2 + q_1 q_2 r_3 + ... + q_1 q_2 ... q_{m-1} r_m, as do
Applicants.

Examiner's citation discloses no such thing. Instead, Examiner's citation discloses the
RSA public-key cryptographic method, which is nothing like Applicants' method of generating
an uncorrelated pseudo-random bit sequence. As evidenced by the attached pages of Applied
Cryptography, 2nd Ed., the RSA algorithm discloses the steps of choosing two large prime
numbers (i.e., p, q), multiplying them together (i.e., n = pq), choosing an encryption key e so that
e is relatively prime to (p-1)(q-1), and computing a decryption key d so that ed = 1
(mod (p-1)(q-1)). Then, a message m can be encrypted to produce ciphertext c by computing
c = m^e mod n. The plaintext m can then be recovered by computing m = c^d mod n. The steps of the RSA
algorithm are nothing like those of Applicants' Claim 3 (Claim 3, page 12, line 18 - page 13, line

Examiner then said that Brandman does not disclose using prime factors to generate an
uncorrelated pseudo-random sequence R = r_1 + q_1 r_2 + q_1 q_2 r_3 + ... + q_1 q_2 ... q_{m-1} r_m, as do Applicants.
Previously, Examiner said that it did. Therefore, Applicants request that Examiner state what he
thinks Brandman discloses, because Brandman cannot both disclose generating an uncorrelated
pseudo-random sequence R = r_1 + q_1 r_2 + q_1 q_2 r_3 + ... + q_1 q_2 ... q_{m-1} r_m and not disclose it.

Then Examiner said that it would have been obvious to one of ordinary skill in the art to
incorporate prime factors into the sequence to achieve the same predicted result. First, Brandman
does not disclose generating an uncorrelated pseudo-random sequence
R = r_1 + q_1 r_2 + q_1 q_2 r_3 + ... + q_1 q_2 ... q_{m-1} r_m as do Applicants. Second, Brandman discloses the RSA
public-key algorithm, which is not a pseudo-random number generator. Third, adding prime
factors to Brandman produces a modified RSA public-key algorithm, not Applicants' method.
Fourth, it would not be obvious to anyone skilled in the art to modify the RSA public-key
algorithm to arrive at Applicants' method.

Examiner then said that it would have been obvious to one of ordinary skill in the art to
modify Mullen by incorporating prime factors and prime factorization in a cryptographic system,
as taught by Brandman, to achieve a level of security in a pseudo-random sequence environment
such as one used in the areas of encryption and cryptography. Mullen does not include
multiplication as does Applicants' method. Therefore, Mullen could not use prime factors to
produce a pseudo-random number as do Applicants. In addition, Applicants' method does not involve
achieving any level of security for cryptography, but is only concerned with producing an
uncorrelated pseudo-random number. Therefore, it would not have been obvious to incorporate
prime factors into Mullen, because that would destroy the intent of Mullen.


With regard to claim 4, Examiner said that Mullen and Brandman do not disclose that
q_1, q_2, ..., q_m are ordered from smallest value q_1 to largest value q_m. However, Examiner took
official notice that it would have been obvious to one skilled in the art to manipulate the factors
in this way to achieve the predicted result of an uncorrelated pseudo-random sequence.
Applicants challenge Examiner's factual assertion as not properly officially noticed and not
properly based upon common knowledge. Examiner's error includes the fact that Mullen does
not include multiplication but only addition, as described above; that Brandman discloses the
RSA public-key cryptographic algorithm and not a pseudo-random number generator; and that
providing prime factors to Mullen would not result in the pseudo-random number generated by
Applicants.
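The composition argued over in the paragraphs above, R = r_1 + q_1 r_2 + q_1 q_2 r_3 + ... + q_1 q_2 ... q_{m-1} r_m with K+1 = q_1 q_2 ... q_m, written out as an added example; it is not the Applicants' code or claim language. The filing does not say how each digit source r_i is produced, so secrets.randbelow stands in for them here (an assumption of this example), and prime_factors returns the factors smallest-first, the ordering claim 4 recites:

```python
"""Mixed-radix composition R = r_1 + q_1 r_2 + q_1 q_2 r_3 + ... + q_1 q_2 ... q_{m-1} r_m,
with K + 1 = q_1 q_2 ... q_m and each r_i uniform on 0 .. q_i - 1.
Added example; not the Applicants' code. secrets.randbelow standing in for the
digit sources is an assumption of this example, not something the filing states."""
import secrets
from itertools import product


def prime_factors(n):
    """Prime factors of n with multiplicity, smallest first (trial division is
    adequate for the small K used below)."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def compose(digits, q):
    """R from the digit tuple (r_1, ..., r_m); the weight of r_i is q_1 ... q_{i-1}."""
    value, weight = 0, 1
    for r_i, q_i in zip(digits, q):
        if not 0 <= r_i < q_i:
            raise ValueError("digit out of range for its radix")
        value += weight * r_i
        weight *= q_i
    return value


def decompose(value, q):
    """Inverse of compose: peel the digits off least-significant first."""
    digits = []
    for q_i in q:
        digits.append(value % q_i)
        value //= q_i
    return digits


def generate(K, randbelow=secrets.randbelow):
    """One output on 0 .. K from digit sources uniform on 0 .. q_i - 1."""
    q = prime_factors(K + 1)
    return compose([randbelow(q_i) for q_i in q], q)


def is_bijection(K):
    """Check that digit tuples map one-to-one onto 0 .. K, so a uniform tuple gives
    R uniform on 0 .. K. This says nothing about correlation between successive
    outputs, which depends entirely on the digit sources."""
    q = prime_factors(K + 1)
    images = [compose(d, q) for d in product(*(range(q_i) for q_i in q))]
    return len(images) == len(set(images)) and set(images) == set(range(K + 1))
```

is_bijection is the check behind the uniformity statement: the mixed-radix map sends the q_1 q_2 ... q_m digit tuples one-to-one onto 0..K, so R is uniform exactly when the digit tuple is. Because the map is a bijection it also preserves whatever structure the digit sources have, so whether successive R values are uncorrelated is a property of the r_i sources, not of the composition itself.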

Applicants hereby amend their application per Examiner's request for a set of claims 
concerning a cryptographic application. However, since Applicants' invention is not limited to 
cryptographic applications, Applicants retain claims 1 and 2. 

A new fee determination is provided that shows that Applicants need not provide any 
additional fee to have these added claims examined. 

Reconsideration of the application in light of the amendment and the remarks is 
requested. Applicants request Examiner withdraw his rejections and allow claims 1-6. 



Respectfully submitted, 




Robert D. Morelli 
Registration No. 37,398 
(301)688-0287 
Linear feedback shift register



From Wikipedia, the free encyclopedia

A linear feedback shift register (LFSR) is a shift register whose input bit is a linear function of its previous state. 

The only linear functions of single bits are xor and inverse-xor; thus it is a shift register whose input bit is driven by the exclusive-or (xor) of some bits of the overall shift register value.

The initial value of the LFSR is called the seed, and because the operation of the register is deterministic, the sequence of values produced by the register is completely determined by its 
current (or previous) state. Likewise, because the register has a finite number of possible states, it must eventually enter a repeating cycle. However, a LFSR with a well-chosen feedback 
function can produce a sequence of bits which appears random and which has a very long cycle. 

Applications of LFSRs include generating pseudo-random numbers, pseudo-noise sequences, fast digital counters, and whitening sequences. Both hardware and software implementations 
of LFSRs are common. 



Contents

1 Fibonacci LFSRs
2 Output-stream properties
3 A drop in replacement for Gray Code counters
4 Galois LFSRs
5 Applications
  ■ 5.1 Uses in cryptography
  ■ 5.2 Uses in digital broadcasting and communications
6 See also
7 External links



Fibonacci LFSRs 



The list of the bit positions that affect the next state is called the tap sequence. In the diagram below, the sequence is [16,14,13,11,0]. In a Fibonacci LFSR, as below, the taps are XOR'd
sequentially with the output and then fed back into the leftmost bit.

■ The outputs that influence the input are called taps (blue in the diagram below). 

■ A maximal LFSR produces an n-sequence (i.e. cycles through all possible 2^n - 1 states within the shift register except the state where all bits are zero), unless it contains all
zeros, in which case it will never change.

The sequence of numbers generated by a LFSR can be considered a binary numeral system just as valid as Gray code or the natural binary code. 

The tap sequence of an LFSR can be represented as a polynomial mod 2. This means that the coefficients of the polynomial must be 1's or 0's. This is called the feedback polynomial or
characteristic polynomial. For example, if the taps are at the 16th, 14th, 13th and 11th bits (as below), the resulting LFSR polynomial is:

x^16 + x^14 + x^13 + x^11 + 1

The 'one' in the polynomial does not correspond to a tap - it corresponds to the input to the first bit (i.e. x^0, which is equivalent to 1). The powers of the terms represent the tapped bits,
counting from the left. The first and last bits are always connected as an input and tap respectively.

■ If (and only if) this polynomial is primitive, then the LFSR is maximal

■ The LFSR will only be maximal if the number of taps is even

■ There can be more than one maximal tap sequence for a given LFSR length

■ Once one maximal tap sequence has been found, another automatically follows. If the tap sequence, in an n-bit LFSR, is [n,A,B,C,0], where the 0 corresponds to the x^0 = 1 term,
then the corresponding 'mirror' sequence is [n,n-C,n-B,n-A,0]. So the tap sequence [32,3,2,0] has as its counterpart [32,30,29,0]. Both give a maximal sequence.



Output-stream properties 



Ones and zeroes occur in 'runs'. The output stream 0110100, for example, consists of five runs of lengths 1,2,1,1,2, in order. In one period of a maximal LFSR, 2^(n-1) runs occur
(for example, a six bit LFSR will have 32 runs). Exactly 1/2 of these runs will be one bit long, 1/4 will be two bits long, up to a single run of zeroes n - 1 bits long, and a
single run of ones n bits long. This same property is statistically expected in a truly random sequence.

■ LFSR outputs streams are deterministic. If you know the present state, you can predict the next state. This is not possible with truly random events such as nuclear decay. 

■ The output stream is reversible; an LFSR with mirrored tap sequence will cycle through the states in reverse order. 

A drop in replacement for Gray Code counters 


Some applications need to mark individual locations along a certain distance with unique values. For example, most tape measures mark each inch or centimeter with a unique number using 
the decimal numeral system. When computer index or framing locations need to be machine-readable, they are often marked using a LFSR sequence, because LFSR counters are simpler 
and faster than any other kind of binary counter. LFSRs are faster than natural binary counters and Gray code counters. Given an output sequence you can construct a LFSR of minimal size 
by using the Berlekamp-Massey algorithm. 

Galois LFSRs 

Named after the French mathematician Evariste Galois, a Galois LFSR, or an LFSR in Galois configuration, is an alternate structure that can generate the same output sequences as a 
conventional LFSR. In the Galois configuration, when the system is clocked, bits that are not taps are shifted as normal to the next flip-flop. The taps, on the other hand, are XOR'd with the 
new output, which also becomes the new input. These won't be shifted in until the next clock cycle. 



To generate the same output sequence, the order of the taps is the counterpart (see above) of the order for the conventional LFSR, otherwise the sequence will be in reverse. Note that the
internal state of the LFSR is not necessarily the same. The Galois register above has the same output as the Fibonacci register in the first section.

■ Galois LFSRs do not concatenate every tap to produce the new input (the XOR'ing is done within the LFSR and no XOR gates are run in serial, therefore the propagation times 
are reduced to that of one XOR rather than a whole chain), thus it is possible for each tap to be computed in parallel, increasing the speed of execution. 

■ In a software implementation of an LFSR, the Galois form is more efficient as the XOR operations can be implemented a word at a time: only the output bit must be examined 
individually. 

Below is an example of a 32-bit maximal period Galois LFSR simulated in C:

    unsigned int lfsr = 1;
    while (1)
        /* Galois form, taps 32 31 29 1 (mask 0xd0000001): shift right and XOR in
           the tap mask only on clocks where the bit shifted out was 1, which is
           what -(lfsr & 1u), all ones or all zeros, selects. */
        lfsr = (lfsr >> 1) ^ (-(lfsr & 1u) & 0xd0000001u);



Applications 



LFSRs can be implemented in hardware, and this makes them useful in applications that require very fast generation of a pseudo-random sequence, such as direct-sequence spread spectrum 
radio. 

The Global Positioning System uses a LFSR to rapidly transmit a sequence that indicates high-precision relative time offsets. The Nintendo Entertainment System video game console also
has a LFSR as part of its sound system. ([1] http://nocash.emubase.de/everynes.htm)



Uses in cryptography 



LFSRs have long been used as a pseudo-random number generator for use in stream ciphers (especially in military cryptography), due to the ease of construction from simple 
electromechanical or electronic circuits, long periods, and very uniformly distributed outputs. However the outputs of LFSRs are completely linear, leading to fairly easy cryptanalysis. 

Three general methods are employed to reduce this problem in LFSR based stream ciphers 

■ Non- linear combination of several bits from the LFSR state; 

■ Non-linear combination of the outputs of two or more LFSRs; or 

■ Irregular clocking of the LFSR, as in the alternating step generator. 

Important LFSR-based stream ciphers include A5/1, A5/2, E0, and the shrinking generator.
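The point of the preceding paragraph (a bare LFSR output is "completely linear, leading to fairly easy cryptanalysis") and the Berlekamp-Massey remark in the Gray-code-counter section are the same fact seen from two sides: given 2n consecutive output bits, Berlekamp-Massey returns the n-stage register and every later bit follows. As an added example that is not code from the Wikipedia article, the block below builds the Fibonacci register for the article's own tap list [16,14,13,11,0], confirms its period is 2^16 - 1, then recovers the register from 32 observed bits and predicts the next 64. The seed 0xACE1 and the bit counts are constructed for the demo:

```python
"""Fibonacci LFSR for the article's tap list [16,14,13,11,0] (feedback polynomial
x^16 + x^14 + x^13 + x^11 + 1) and the Berlekamp-Massey recovery that makes a bare
LFSR keystream unsafe. Added example, not code from the Wikipedia article; the
seed 0xACE1 and the observed/predicted bit counts are constructed for the demo."""

TAPS = [16, 14, 13, 11, 0]   # 16 is the register length; 0 is the x^0 term


def _step(state, n, exponents):
    """One clock: bit 0 is the output; the new bit s_{k+n} = XOR of s_{k+e} over the
    non-leading exponents e enters at the top (bit n-1)."""
    fb = 0
    for e in exponents:
        fb ^= (state >> e) & 1
    return (state >> 1) | (fb << (n - 1))


def lfsr_stream(taps, seed, nbits):
    """nbits of output. State bit j holds s_{k+j}, so bit 0 is the current output."""
    n = max(taps)
    exponents = [t for t in taps if t != n]
    state = seed & ((1 << n) - 1)
    if state == 0:
        raise ValueError("the all-zero state never changes")
    out = []
    for _ in range(nbits):
        out.append(state & 1)
        state = _step(state, n, exponents)
    return out


def period(taps, seed):
    """Clocks until the state repeats; 2^n - 1 means the polynomial is primitive."""
    n = max(taps)
    exponents = [t for t in taps if t != n]
    start = state = seed & ((1 << n) - 1)
    count = 0
    while True:
        state = _step(state, n, exponents)
        count += 1
        if state == start:
            return count


def berlekamp_massey(bits):
    """Shortest LFSR over GF(2) generating `bits`: returns (L, c) with c[0] = 1 and
    s_k = XOR over i = 1..L of c[i] & s_{k-i} for every k >= L."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # polynomial before the last length change
    L, m = 0, 1                # m: clocks since b was last updated
    for k in range(n):
        d = bits[k]
        for i in range(1, L + 1):
            d ^= c[i] & bits[k - i]
        if d == 0:
            m += 1
            continue
        t = c[:]
        for j in range(n + 1 - m):
            c[j + m] ^= b[j]   # c(x) += x^m * b(x)
        if 2 * L <= k:
            L, b, m = k + 1 - L, t, 1
        else:
            m += 1
    return L, c[:L + 1]


def taps_from_connection(L, c):
    """Map the connection polynomial back to the article's tap-list notation."""
    return sorted({L} | {L - i for i in range(1, L + 1) if c[i]}, reverse=True)


def predict(known, L, c, count):
    """Continue the sequence with the recovered recurrence."""
    s = list(known)
    for _ in range(count):
        nxt = 0
        for i in range(1, L + 1):
            nxt ^= c[i] & s[-i]
        s.append(nxt)
    return s[len(known):]


def recover_demo(seed=0xACE1, observed=32, ahead=64):
    """Observe 2n keystream bits, recover the register, predict the next `ahead` bits."""
    stream = lfsr_stream(TAPS, seed, observed + ahead)
    L, c = berlekamp_massey(stream[:observed])
    guess = predict(stream[:observed], L, c, ahead)
    return L, taps_from_connection(L, c), guess == stream[observed:]
```

recover_demo() returns (16, [16, 14, 13, 11, 0], True): the recovered tap list is the article's, and every predicted bit matches. Berlekamp-Massey returns the reciprocal form of the characteristic polynomial (x^16 + x^5 + x^3 + x^2 + 1), which is why taps_from_connection reflects the exponents through L; that is the 'mirror' relationship the Fibonacci section describes. Any window of 2n bits of a maximal-length sequence has linear complexity exactly n, so the choice of seed does not rescue the cipher; the three countermeasures listed above all exist to push the linear complexity of the combined output far above the register lengths.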
Uses in digital broadcasting and communications



To prevent short repeating sequences (e.g., runs of 0's or 1's) from forming spectral lines that may complicate symbol tracking at the receiver or interfere with other transmissions, linear
feedback registers are often used to "randomize" the transmitted bitstream. This randomization is removed at the receiver after demodulation. When the LFSR runs at the same rate as the
transmitted symbol stream, this technique is referred to as scrambling. When the LFSR runs considerably faster than the symbol stream, expanding the bandwidth of the transmitted signal,
this is direct-sequence spread spectrum.

Neither scheme should be confused with encryption or encipherment; scrambling and spreading with LFSRs do not protect the information from eavesdropping.

Digital broadcasting systems that use linear feedback registers



■ ATSC Standards (HDTV transmission system - North America) 

■ DAB (Digital audio broadcasting system -- for radio) 

■ DVB-T (HDTV transmission system - Europe, Australasia) 

■ NICAM (digital audio system for television) 

Other digital communications systems using LFSR: 



■ IBS (INTELSAT business service) 

■ IDR (Intermediate Data Rate service)

■ SDI (Serial Digital Interface transmission) 

■ Data transfer over PSTN (according to the ITU-T V-series recommendations) 



External links

■ International Telecommunications Union Recommendation O.151 (http://www.itu.int/rec/T-REC-O.151-199210-I/en) (August 1992)

■ Maximal Length LFSR table (http://www.xilinx.com/bvdocs/appnotes/xapp052.pdf) with length from 3 to 168

■ Maximal Length LFSR table (http://www.physics.otago.ac.nz/px/researclVelectro^) with length from 1 to 786, also 1024 and 2048.

■ Pseudo-Random Number Generation Routine (http://www.maxim-ic.com/appnotes.cfm?appnote_number=1743&CMP=WP-9)

■ http://www.ee.ualberta.ca/~elliott/ee552/studentAppNotes/1999f/Drivere_Ed/lfsr.html

■ http://www.quadibloc.com/crypto/co040801.htm

■ Simple explanation of LFSRs for Engineers (http://www.yikes.com/~ptolemy/lfsr_web/index.htm)

■ Feedback terms (http://www.ece.cmu.edu/~koopman/lfsr/index.html)

■ General LFSR Theory (http://homepage.mac.com/afj/lfsr.html)

■ Table of Maximal Tap Sequences (http://homepage.mac.com/afj/taplist.html)

■ Shift register code generator (http://www-rocq.inria.fr/codes/LFSR/index.html)



Retrieved from "http://en.wikipedia.org/wiki/Linear_feedback_shift_register" 
Categories: Digital registers | Cryptographic algorithms | Pseudorandom number generators 
XOR gate
From Wikipedia, the free encyclopedia

The XOR gate is a digital logic gate that implements exclusive disjunction - it behaves according to the truth table to the right. A HIGH output (1) results if one, 
and only one, of the inputs to the gate is HIGH (1). If both inputs are LOW (0) or both are HIGH (1), a LOW output (0) results. 

This function is addition modulo 2. As a result, XOR gates are used to implement binary addition in computers. A half adder consists of an XOR gate and an 
AND gate. 
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Symbols 



There are two symbols for XOR gates: the 'military' symbol and the 'rectangular' symbol. For more information see Logic Gate Symbols 



'Military' XOR symbol




'Rectangular' XOR symbol



Hardware description and pinout 



XOR gates are basic logic gates, and as such they are recognised in TTL and CMOS ICs. The standard, 4000 series, CMOS IC is the 4070, which includes four independent, two-input
XOR gates. The 4070 replaces the less reliable 4030, but keeps the pinout. The pinout diagram is as follows:

This device is available from most semiconductor manufacturers such as Philips. It is usually available in both through-hole DIL and SOIC format. Datasheets are readily available in most
Datasheet Databases.



Alternatives 

If no specific XOR gates are available, one can be made from four NAND or five NOR gates in the configurations shown below. Interestingly, any logic gate can be made from a 
combination of NAND gates or a combination of NOR gates. 
XOR gate constructed using only NAND gates



XOR gate constructed using only NOR gates 



More than two inputs 



The XOR operation is a binary operation and is therefore defined only for two inputs. It is nevertheless common in electronic design to talk of "XORing" three or more signals.

The most common interpretation of this usage is that the first two signals are fed into an XOR gate, then the output of that gate is fed into a second XOR gate together with the third signal,
and so on for any remaining signals. The result is a circuit that outputs a 1 when the number of 1s at its inputs is odd, and a 0 when the number of incoming 1s is even. This makes it
practically useful as a parity generator or a modulo-2 adder.

A second interpretation is also possible, based on both the linguistic sense of the term "exclusive OR" and the IEC symbol for an XOR gate (see right). This 
interpretation states that the output is 1 when one or other of the inputs, exclusively, is 1. The "=1" in the IEC symbol implies the same thing. However, the 
IEC symbol was not intended to be modified by adding further inputs, and becomes invalid when this is done. This interpretation is rarely used in 
electronics, since parity generators and adders are in more common use than "1 of n" detectors.



See also 



XNOR gate 

Boolean algebra (logic) 

Logic gates 
Chapter 19 Public-Key Algorithms




Other algorithms have been proposed that use ideas similar to those used in knapsack
cryptosystems, but these too have been broken. The Lu-Lee cryptosystem
[990,13] was broken in [20,614,873]; a modification [507] is also insecure [1620].
Attacks on the Goodman-McAuley cryptosystem are in [646,647,267,268]. The
Pieprzyk cryptosystem [1246] can be broken by similar attacks. The Niemi
cryptosystem [1169], based on modular knapsacks, was broken in [345,788]. A newer
multistage knapsack [747] has not yet been broken, but I am not optimistic. Another
variant is [294].

While a variation of the knapsack algorithm is currently secure— the Chor-Rivest 
knapsack [356], despite a "specialized attack" [743]— the amount of computation 
required makes it far less useful than the other algorithms discussed here. A variant, 
called the Powerline System, is not secure [958]. Most important, considering the 
ease with which all the other variations fell, it doesn't seem prudent to trust them. 

Patents 

The original Merkle-Hellman algorithm is patented in the United States [720] and 
worldwide (see Table 19.1). Public Key Partners (PKP) licenses the patent, along 
with other public-key cryptography patents (see Section 25.5). The U.S. patent will 
expire on August 19, 1997. 












19.3 RSA 


Soon after Merkle's knapsack algorithm came the first full-fledged public-key algo- 
rithm, one that works for encryption and digital signatures: RSA [1328,1329]. Of all 
the public-key algorithms proposed over the years, RSA is by far the easiest to 
understand and implement. (Martin Gardner published an early description of the 
algorithm in his "Mathematical Games" column in Scientific American [599].) It is
also the most popular. Named after the three inventors, Ron Rivest, Adi Shamir,
and Leonard Adleman, it has since withstood years of extensive cryptanalysis.
Although the cryptanalysis neither proved nor disproved RSA's security, it does
suggest a confidence level in the algorithm.

Table 19.1
Foreign Merkle-Hellman Knapsack Patents

Country          Number      Date of Issue
Belgium          871039      5 Apr 1979
Netherlands      7810063     10 Apr 1979
Great Britain    2006580     2 May 1979
Germany          2843583     10 May 1979
Sweden           7810478     14 May 1979
France           2405532     8 Jun 1979
Germany          2843583     3 Jun 1982
Germany          2857905     15 Jul 1982
Canada           1128159     20 Jul 1982
Great Britain    2006580     18 Aug 1982
Switzerland      63416114    14 Jan 1983
Italy            1099780     28 Sep 1985

RSA gets its security from the difficulty of factoring large numbers. The public 
and private keys are functions of a pair of large (100 to 200 digits or even larger) 
prime numbers. Recovering the plaintext from the public key and the ciphertext is 
conjectured to be equivalent to factoring the product of the two primes. 

To generate the two keys, choose two random large prime numbers, p and q. For 
maximum security, choose p and q of equal length. Compute the product: 

n=pq 

Then randomly choose the encryption key, e, such that e and (p - l)(q - 1) are rela- 
tively prime. Finally, use the extended Euclidean algorithm to compute the decryp- 
tion key, d, such that 

ed = 1 (mod (p - 1)(q - 1))

In other words,

d = e^{-1} mod ((p - 1)(q - 1))

Note that d and n are also relatively prime. The numbers e and n are the public 
key ; the number d is the private key. The two primes, p and q, are no longer needed. 
They should be discarded, but never revealed. 

To encrypt a message m, first divide it into numerical blocks smaller than n (with
binary data, choose the largest power of 2 less than n). That is, if both p and q are
100-digit primes, then n will have just under 200 digits and each message block, m_i,
should be just under 200 digits long. (If you need to encrypt a fixed number of
blocks, you can pad them with a few zeros on the left to ensure that they will always
be less than n.) The encrypted message, c, will be made up of similarly sized message
blocks, c_i, of about the same length. The encryption formula is simply

c_i = m_i^e mod n

To decrypt a message, take each encrypted block c_i and compute

m_i = c_i^d mod n

Since

c_i^d = (m_i^e)^d = m_i^{ed} = m_i^{k(p-1)(q-1)+1} = m_i m_i^{k(p-1)(q-1)} = m_i * 1 = m_i; all (mod n)

the formula recovers the message. This is summarized in Table 19.2.

The message could just as easily have been encrypted with d and decrypted with 
e; the choice is arbitrary. I will spare you the number theory that proves why this 
works; most current texts on cryptography cover it in detail. 

Table 19.2
RSA Encryption

Public Key:
  n    product of two primes, p and q (p and q must remain secret)
  e    relatively prime to (p - 1)(q - 1)

Private Key:
  d    e^{-1} mod ((p - 1)(q - 1))

Encrypting:
  c = m^e mod n

Decrypting:
  m = c^d mod n

A short example will probably go a long way to making this clearer. If p = 47 and
q = 71, then

n = pq = 3337

The encryption key, e, must have no factors in common with

(p - 1)(q - 1) = 46 * 70 = 3220

Choose e (at random) to be 79. In that case

d = 79^{-1} mod 3220 = 1019

This number was calculated using the extended Euclidean algorithm (see Section
11.3). Publish e and n, and keep d secret. Discard p and q.
To encrypt the message 

m = 6882326879666683

first break it into small blocks. Three-digit blocks work nicely in this case. The
message is split into six blocks, in which

m_1 = 688
m_2 = 232
m_3 = 687
m_4 = 966
m_5 = 668
m_6 = 003

The first block is encrypted as 

688^79 mod 3337 = 1570 = c_1

Performing the same operation on the subsequent blocks generates an encrypted 
message: 

c = 1570 2756 2091 2276 2423 158 

Decrypting the message requires performing the same exponentiation using the 
decryption key of 1019, so 
1570^1019 mod 3337 = 688 = m_1
The rest of the message can be recovered in this manner. 
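The key generation, encryption and decryption steps of this section, run on the section's own numbers (p = 47, q = 71, e = 79, the six three-digit blocks of m), as an added example that is not the book's code; it also covers the RSA summary given earlier in the Remarks. The block-splitting helper and square_and_multiply_count are this example's own, and pow(e, -1, phi) for the extended Euclidean step assumes Python 3.8 or later:

```python
"""Textbook RSA as laid out in Section 19.3, run on the section's numbers.
Added example, not code from the book. split_blocks and
square_and_multiply_count are this example's own helpers; pow(e, -1, m)
(extended Euclid) needs Python 3.8+."""
from math import gcd


def rsa_keygen(p, q, e):
    """n = pq; d = e^-1 mod (p-1)(q-1); (e, n) is public, d is private."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)
    return (e, n), d


def rsa_apply(block, exponent, n):
    """c = m^e mod n and m = c^d mod n are the same operation with different exponents."""
    if not 0 <= block < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(block, exponent, n)


def split_blocks(digits, width):
    """The book's scheme: cut a decimal string into fixed-width numeric blocks,
    padding a short final block with zeros on the left (so '3' becomes 003)."""
    chunks = [digits[i:i + width] for i in range(0, len(digits), width)]
    return [int(chunk.rjust(width, "0")) for chunk in chunks]


def square_and_multiply_count(e):
    """Modular multiplications used by left-to-right square-and-multiply:
    one squaring per bit after the leading one, one multiply per further set bit."""
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)


def book_example():
    """p = 47, q = 71, e = 79 from the text; returns n, d, c_1 and whether the
    decrypted blocks equal the original blocks."""
    public, d = rsa_keygen(47, 71, 79)
    e, n = public
    blocks = split_blocks("6882326879666683", 3)      # 688 232 687 966 668 003
    cipher = [rsa_apply(m, e, n) for m in blocks]
    recovered = [rsa_apply(c, d, n) for c in cipher]
    return n, d, cipher[0], recovered == blocks
```

book_example() returns (3337, 1019, 1570, True), matching the text. Note that this is raw RSA exactly as the section presents it: there is no padding, so equal blocks produce equal ciphertext blocks, and with three-digit blocks anyone holding the public key can tabulate all 1000 values of m^e mod n and read the ciphertext off the table. square_and_multiply_count(65537) gives the 17 multiplications quoted under Software Speedups.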

RSA in Hardware 

Much has been written on the subject of hardware implementations of RSA [1314, 
1474, 1456, 1316, 1485,874, 1222,87, 1410, 1409, 1343,998,367, 1429,523, 772]. Good sur- 
vey articles are [258,872]. Many different chips perform RSA encryption [1310,252, 
1101,1317,874,69,737,594,1275,1563,509,1223]. A partial list of currently available 
RSA chips, from [150,258], is listed in Table 19.3. Not all are available on the open 
market. 

Speed of RSA 

In hardware, RSA is about 1000 times slower than DES. The fastest VLSI hard- 
ware implementation for RSA with a 512-bit modulus has a throughput of 64 kilo- 
bits per second [258]. There are also chips that perform 1024-bit RSA encryption. 
Currently chips are being planned that will approach 1 megabit per second using a 
512-bit modulus; they will probably be available in 1995. Manufacturers have also 
implemented RSA in smart cards; these implementations are slower. 

In software, DES is about 100 times faster than RSA. These numbers may change 
slightly as technology changes, but RSA will never approach the speed of symmet- 
ric algorithms. Table 19.4 gives sample software speeds of RSA [918]. 

Software Speedups 

RSA encryption goes much faster if you're smart about choosing a value of e. The 
three most common choices are 3, 17, and 65537 (2^16 + 1). (The binary representation
of 65537 has only two ones, so it takes only 17 multiplications to exponentiate.)
X.509 recommends 65537 [304], PEM recommends 3 [76], and PKCS #1 (see Section
24.14) recommends 3 or 65537 [1345]. There are no security problems with using



Table 19.3
Existing RSA Chips

Company             Clock    Baud Rate      Clock Cycles     Technology    Bits per   Number of
                    Speed    Per 512 Bits   Per 512 Bit                    Chip       Transistors
                                            Encryption
Alpha Techn.        25 MHz   13 K           .98 M            2 micron      1024       180,000
AT&T                15 MHz   19 K           .4 M             1.5 micron    298        100,000
British Telecom     10 MHz   5.1 K          1 M              2.5 micron    256
Business Sim. Ltd.  5 MHz    3.8 K          .67 M            Gate Array    32
Calmos Syst. Inc.   20 MHz   28 K           .36 M            2 micron      593        95,000
CNET                25 MHz   5.3 K          2.3 M            1 micron      1024       100,000
Cryptech            14 MHz   17 K           .4 M             Gate Array    120        33,000
Cylink              30 MHz   6.8 K          1.2 M            1.5 micron    1024       150,000
GEC Marconi         25 MHz   10.2 K         .67 M            1.4 micron    512        160,000
Pijnenburg          25 MHz   50 K           .256 M           1 micron      1024       400,000
Sandia              8 MHz    10 K           .4 M             2 micron      272        86,000
Siemens             5 MHz    8.5 K          .03 M            1 micron      512        60,000

(Blank cells are blank in the source.)